Security Code Sprint - A recap

Categories: Security Created by Helmut Hummel

Security Team and Core Development Team members met for a code sprint to improve TYPO3 security

From October 14th to 16th, nine security enthusiasts met for a code sprint at naw.info in Hannover, Germany.

One of the main goals of this meeting was of course to improve the security of TYPO3. We aimed to work on things which were too complex, too time-consuming or just too monotonous to fit into our daily routine.

Here are some examples of what we worked on during this weekend:

  1. Security review of the new typo3.org extensions and components
    We reviewed the code of extensions written specifically for the relaunch of typo3.org, as well as extensions from the TYPO3 Extension Repository that are going to be used there. We also had a look at the TypoScript configuration.
  2. Discussion and initial planning of an incident handling system
    Releasing a security bulletin is currently very time-consuming. Additionally, the advisories are plain text only, so no semantic (machine-readable) information is available. We discussed how a tool could change that and already started to sketch its architecture.
  3. Improving the TYPO3 Core
    There are always things to improve. This time, for example, we looked into the ESAPI code of the OWASP project and worked on integrating parts of it into TYPO3 v4.

I'm pleased to report that it worked out pretty well. Doing these things together in a small group of nice people turned out to be both productive and inspiring.

Last but not least I'd like to thank everybody who attended this event and of course thank everybody who helped make it possible.

Thanks to cron IT and neusta software development for covering the travel costs and accommodation for one attendee each.

Thanks to e-net for letting two people attend during their working time.

Special thanks go to naw.info not only for hosting us this time but also for sponsoring food and drinks for all attendees.

I enjoyed this event a lot and am looking forward to doing similar meetings again and again...